ThreatFabric researchers report that the Android banking Trojan Cerberus has gained the ability to steal two-factor authentication (2FA) codes generated by the Google Authenticator app, and thereby to bypass that layer of protection.
“Historically, malware for mobile banking was developed and used primarily to access and steal information that is applicable for financial fraud. With the development of fraud detection mechanisms used by financial institutions and the introduction of 2FA, it became more difficult for criminals to use the methods described above without detection. RATs are criminals’ Holy Grail, as they offer the ability to perform fraudulent transactions directly from the infected (victim) device. By doing so, criminals are making it substantially harder to detect fraudulent transactions without a client-based detection solution”, write the ThreatFabric researchers.
We have already covered how a RAT for Android operates, using the Gustuff banker as an example.
The Google Authenticator app was launched ten years ago, in 2010, and is positioned as an alternative to one-time passwords delivered by SMS. Its codes are time-based one-time passwords (TOTP) derived from a secret shared with the service at enrollment; because they are generated on the user’s device and never transmitted over insecure mobile networks, accounts protected with Google Authenticator are considered more secure than those relying on SMS codes.
Security researchers first documented Cerberus in the summer of 2019. At the time it was reported that Cerberus exploits no vulnerabilities and is distributed exclusively through social engineering. The malware gives attackers full control over an infected device and also carries the functions of a classic banker: overlay attacks, control of SMS messages, and extraction of the contact list.
In a new report, ThreatFabric analysts assess the latest versions of Cerberus as very advanced malware.
“Cerberus currently uses features that are typically found in Remote Access Trojans (RATs). These features allow Cerberus operators to remotely connect to an infected device, change device settings, install and remove applications, use the victim’s credentials to access online banking, and steal one-time passwords from Google Authenticator to bypass two-factor authentication (if any)”, report the ThreatFabric experts.
Notably, the 2FA-stealing feature is not yet present in the version of Cerberus currently advertised and sold on hacker forums. According to the researchers, the build that contains it is still at the testing stage.
“Abusing accessibility privileges, the Trojan can steal 2FA codes from the Google Authenticator application. When the [Authenticator] application is launched, the Trojan is able to extract the contents of the interface and send it to its managing server”, say the experts.
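Because the technique depends on an accessibility service being enabled, the first thing a responder will want to check on a suspect device is which accessibility services are switched on. Android exposes this as the secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`), a colon-separated list of `package/ServiceClass` entries, where the class may be abbreviated with a leading dot. The helper below is an added example, not code from the ThreatFabric report, that parses that string and flags any service whose package is not on an allowlist; the allowlist contents, the sample output and the flashlight package name are constructed for illustration.

```python
# Example allowlist of accessibility-service packages expected on a managed device.
# Adapt to your fleet; TalkBack is Google's screen reader and is commonly legitimate.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(raw: str) -> list[str]:
    """Parse `settings get secure enabled_accessibility_services` output.

    Returns fully qualified `package/class` entries. The setting reads `null`
    when no service is enabled, and a class like `.Svc` is shorthand for
    `package.Svc`, so both forms are normalised here.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = package + cls
        services.append(f"{package}/{cls}")
    return services


def flag_unexpected_services(raw: str, allowlist: set[str] = KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return enabled accessibility services whose package is not allowlisted.

    Any hit deserves a look: a banker that reads other apps' screens, as
    described in the report, has to appear in this list to do so.
    """
    return [svc for svc in parse_enabled_services(raw) if svc.split("/", 1)[0] not in allowlist]


if __name__ == "__main__":
    # Constructed sample of what the adb command returns on an infected device.
    sample = (
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.example.flashlight/.AccessService"
    )
    for svc in flag_unexpected_services(sample):
        print("UNEXPECTED accessibility service:", svc)
```

A clean result only shows that no rogue service is enabled right now; it says nothing about whether one was enabled earlier, so pair it with the device's package list and install timestamps during triage.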
ThreatFabric analysts expect Cerberus to use this feature chiefly to bypass two-factor authentication at banks, but nothing prevents attackers from bypassing 2FA on other kinds of accounts, including mailboxes, code repositories and social networks: the codes are scraped from the screen, so any account whose one-time code is shown on the compromised device is exposed in the same way.